Microsoft Windows 95/WfW smbclient Directory Traversal Vulnerability. Remote exploit for windows platform
source: http://www.securityfocus.com/bid/1884/info Samba is a set of of programs that allow WindowsĂÂŽ clients access to a Unix server's filespace and printers over NetBIOS. A directory traversal vulnerability exists in Microsoft's implementation of the SMB file and print sharing protocol for Windows 95 build 490.r6 and Windows for Workgroups. smbclient normally rejects '/../' sequences in user-supplied pathnames before submitting them to the server. This prevents an attacker from traversing the server's directory tree and accessing files which would normally be inaccessible. Because the check for '/../' is peformed by smbclient, the server assumes the client is filtering invalid input. However, a modified client can be made to accept the restricted '/../' sequences, appending these characters to filenames and submitting them as a request to the server. Since the server leaves this input validation up to the client, once the server is provided with path information which contains '/../', it assumes it to be valid. As a result, a directory traversal becomes possible, granting an attacker access to normally-restricted portions of the host's filesystem. This can lead to the disclosure of security-related information, leaving the host open to further compromise. Connect to a resource using smbclient. Issue commands "cd ../" or "cd ..."